According to researchers at Cornell Tech University, short URLs are created incorrectly, both in the cloud providers' own offerings and in third-party services. Tokens that are too short allow attackers to guess the URL used for sharing. The researchers succeeded in 40 percent of their experiments.
Short URLs of cloud services could make it easier for unauthorized people to access files stored there. Researchers at Cornell Tech University have come to this conclusion in a study (PDF). According to them, the tokens used are often too short, so the original URL of a shared file can be guessed, which then also grants access to the file.
They backed up their statements using the example of the short URL service Bit.ly, which uses six-character tokens. In their test, the researchers queried 100 million tokens; for about 42.2 million of them, they guessed a valid URL. “Since not all positions in Bit.ly URLs appear to be random, there are areas of higher density that would provide valid URLs with a higher hit rate,” the researchers said. Among the cloud providers' own short URL services, the researchers examined links generated by Google for its Google Maps map service. There they could guess 37.5 percent of the underlying URLs.
The researchers also discovered over 3000 links to files and folders on Microsoft’s cloud storage “onedrive.live.com” as well as over 16,500 files and folders on its predecessor “skydrive.live.com”. To guess all the URLs on OneDrive and SkyDrive, a single client would take about 245,000 days, according to the researchers. They point out, however: “A botnet can easily accomplish this goal in one day, or even faster, if the operator accepts that the IP addresses of individual bots are blocked by Bit.ly.”
Microsoft has known about the security gap since May 2015. In March of this year, the short URL creation feature for OneDrive was removed. According to the company, however, the reason was not a security concern. Google was informed by the researchers about the problem with its short URLs in September. One week later, the URL tokens were extended to 11 to 12 characters, which makes it much harder to guess the URLs.
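To make the token-length argument concrete, here is an added example (not code from the study or from any of the services named above) that computes the size of a short-URL token space, the entropy it carries, and how long a single client would need to enumerate it at an assumed query rate. It also shows how a service should mint tokens: from a cryptographic random source over the whole alphabet, so that no region of the space is denser than another. The 62-symbol alphabet, the 64-bit minimum and the query rate are assumptions chosen for illustration, not figures from the article.

```python
import math
import secrets
import string

# Assumption: a bit.ly-style alphabet of 62 URL-safe alphanumerics.
# The query rate and minimum-entropy threshold below are illustrative values,
# not numbers taken from the Cornell Tech study.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols
SECONDS_PER_DAY = 86400


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy a token carries if every symbol is drawn uniformly."""
    return length * math.log2(alphabet_size)


def days_to_enumerate(length: int, queries_per_second: float,
                      alphabet_size: int = len(ALPHABET)) -> float:
    """Wall-clock days a single client needs to try every token at a fixed rate."""
    return keyspace(length, alphabet_size) / queries_per_second / SECONDS_PER_DAY


def token_length_is_adequate(length: int, min_bits: float = 64.0,
                             alphabet_size: int = len(ALPHABET)) -> bool:
    """Policy check: does a token of this length clear the entropy floor?"""
    return entropy_bits(length, alphabet_size) >= min_bits


def generate_token(length: int) -> str:
    """Mint a token with a CSPRNG so the keyspace has no 'areas of higher density'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rate = 1000.0  # assumed queries per second for one client
    for n in (6, 7, 11, 12):
        print(f"{n:2d} chars: {entropy_bits(n):5.1f} bits, "
              f"{days_to_enumerate(n, rate):.3g} days to enumerate, "
              f"adequate={token_length_is_adequate(n)}")
    print("sample 12-char token:", generate_token(12))
```

Running the table shows why the move from 6 to 11 or 12 characters matters: a six-character token is below 36 bits and can be swept by one modest client in under two years (and by a botnet far faster), while 11 characters already exceed 64 bits. The `generate_token` function addresses the researchers' second observation, non-random positions in the token, by drawing every position from `secrets` rather than from a counter or a weak PRNG.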
In May 2015, scientists at the Technical University of Darmstadt and experts from the Fraunhofer Institute for Secure Information Technology SIT discovered 56 million unprotected records in cloud databases. These were e-mail addresses, passwords, medical data and other personal information, mostly belonging to app users.
According to TU Darmstadt, app developers often use services like Facebook’s Parse and Amazon’s AWS as Backend-as-a-Service (BaaS). However, they often do not take the security recommendations of the cloud providers into account or do not implement them correctly. In addition, cloud operators usually offer several authentication methods, the weakest of which is a number embedded in the app code. Attackers, however, “simply extract it and use it not only to read the stored data, but often even to manipulate it.”
Kaspersky had already warned of other risks of short URLs in 2009. The security vendor pointed out at the time that they could be misused in social media for social engineering. Since only the shortened address is visible, but not the actual destination, it is easy to lure users to supposedly relevant or interesting sites behind which something else, such as malware-infected pages, is hidden.